Hi Kent,

I apologize for the delay in response. We held off until after we had a meeting with SEI/CERT-CC, NIST NVD, and US-CERT during which some of the applicable topics were discussed. As a side note, anything affected by those discussions is reflected in our response below. Although, to be honest, I don’t believe anything we talked about impacted anything we discussed during the Board meeting. I’ll depend on CERT-CC and NIST NVD people to correct me if needed.

To your questions. In rough order:

- The CVE Governance Final Drafts will be published “soon.” ;-) Seriously, we expect them back to the Board for final review and comments before the end of June.
- Our recollection of the mid-summer discussion was somewhat different. We understood that MITRE had been tasked to write up initial thoughts (possibly even design) relating to a federated scheme for managing vulnerability IDs. Subsequent to delivery of that draft, we would have a workshop-style Board meeting of up to several days, during which the Federated Vulnerability ID scheme draft would be discussed and refined. That meeting was penciled in as mid-July to avoid summertime conflicts. Details such as who would host, exact dates, etc. weren’t discussed during the Board meeting at RSA.
- Despite having noted our impression as being different than what you came away with, we’re all for expanding the purpose of the meeting to dig deeper into the topics you listed.
- We are all for getting going on the planning for the meeting, and agree that a timed agenda should be discussed and developed.

To move this forward, we have some questions and need some information from the Board membership:

- Does anyone want to volunteer to host the mid-summer meeting? Having just looked at our online meeting space system, I can say that securing MITRE meeting space is essentially impossible, both in Bedford and McLean.
- How many Board members hope to attend in person? I think that the nature of a workshop means there will be substantial white-boarding, which could make full participation from remote locations difficult. We are completely open to suggestions and assistance from the Board for proposals and/or alternatives.
- For starters, shall we posit the week of July 20th? Depending on travel needs and so forth, we could plan for three full days of meetings and still have Monday and Friday (or Thursday evening) as travel days. (As a reminder, Black Hat begins August 1st, so that would give people a week in between.) We could use a Doodle poll to pick dates and finalize.

Please let us know your thoughts re: the above.

Best Regards,
The MITRE CVE Team

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent

Hi All,

This has been a relatively quiet list lately. ;-) Since our F2F at RSA I was hoping to see what the status was on a couple of the items discussed there. Steve Christie discussed governance documents that were expected “soon”. (just poking. ;-))

What I’m really interested in is the proposed event MITRE discussed holding sometime this summer. I think we targeted July but that was to be determined. The purpose of the proposed event was to discuss various topics important to the future CVE. The following are from my F2F notes about the event.

Topics
Smart Cities initiatives
d. General / consumer IoT devices
3. Content decisions needed – documentation
4. Planning implementation of decided actions / road-mapping.

So my questions are:

· Are we planning on having the event? If so when / where / how many days?
· Should we start developing an agenda so we are focused in our efforts?

The intent of the workshop was to roll up your sleeves and address the hard problems facing CVE’s future today. Still planned? Just want to make sure I have no conflicts and can reserve the appropriate dates for this and this alone…

Thanks.

Kent Landfield
+1.817.637.8026